From owner-freebsd-questions@FreeBSD.ORG Thu Sep 11 22:59:42 2014
Delivered-To: freebsd-questions@freebsd.org
Subject: Re: comparing SSH key and passphrase auth vs. an SSH key *with* a passphrase ...
From: Charles Swiger
To: John Case
Cc: FreeBSD -
Date: Thu, 11 Sep 2014 15:58:38 -0700
Message-id: <08D7B04D-CBBF-4330-BAD6-2668F9560964@mac.com>
X-Mailer: Apple Mail (2.1878.6)

Hi, John--

On Sep 11, 2014, at 3:04 PM, John Case wrote:
> I've always used SSH with simply a password. This has always worked fine for me.
>
> Lately, I've been thinking that I might like to increase my security by using *both* a UNIX password and an SSH key. That is, I can't log in unless I have my password and my key. However, it doesn't look like SSH supports this - either you do unix password OR you do SSH key, it doesn't look like there is any way to do both.

True. SSH lists a set of alternatives like:

  debug1: Authentications that can continue: publickey,keyboard-interactive

...and each one is a separate valid method to login.

> However, what I could do is only use an SSH key, but set a passphrase on that key. The only difference here is that my safety is all bound up in SSH, whereas before it was distributed between SSH and the OS.
>
> So I'm curious...
>
> What's the difference between using a UNIX password combined with an SSH key (if that actually worked, which it doesn't) and using an SSH key with a passphrase attached? Is one of these better than the other? Are they the same?
>
> What's the difference?

They are not the same. Your UNIX password is traditionally a string which is salted and encrypted using DES, SHA1, or similar. An SSH key is actually an RSA or DSA public key pair which can be manipulated as generic ASN.1 data via openssl rsa or openssl dsa.

For example, you can add or remove a passphrase from an existing keypair via the following:

  cd ~/.ssh
  mv id_dsa id_dsa_20140911
  openssl dsa -in id_dsa_20140911 -passout 'pass:mypass' -des3 -out id_dsa
  chmod go-rw id_dsa

...although using AES128 or stronger might be prudent, if everything you login to supports it. (Some other folks seem to recommend using PKCS#8 format.)

If you want to improve security, however, either 2-factor auth or OPIE / one-time passwords would be better than SSH key+passphrase.

Regards,
-- 
-Chuck
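The openssl recipe in the reply above, carried through as an added example (it is not part of the original e-mail and not FreeBSD project code): the script wraps an unprotected PEM private key under a passphrase with AES-128, the stronger cipher the reply suggests in place of 3DES, and then checks that the protected file only opens with the right passphrase. It uses an RSA key rather than the reply's DSA key so that it runs against current OpenSSL and keys that current OpenSSH still accepts, and it passes the passphrase through the environment rather than on the command line so it does not appear in process listings. The function names (add_passphrase, is_encrypted, can_open, demo), the KEY_PASS variable, the file names and the passphrases are all constructed for the demo; only the openssl CLI is required.

```shell
#!/bin/sh
# Added example, not from the original e-mail: wrap an unprotected PEM private
# key under a passphrase with AES-128 (the cipher the reply suggests instead of
# 3DES), then prove the result opens only with the right passphrase.
# Needs only the openssl CLI. Function names, file names and passphrases are
# constructed for this demo.

# add_passphrase <plain-key> <protected-key> <passphrase>
# The passphrase goes through the environment (-passout env:), not argv, so it
# is not visible in `ps` output while openssl runs. Mode 0600 matches the
# reply's "chmod go-rw".
add_passphrase() {
    KEY_PASS="$3" openssl rsa -in "$1" -aes128 -passout env:KEY_PASS -out "$2" 2>/dev/null \
        && chmod 600 "$2"
}

# is_encrypted <key-file>: exit 0 if the PEM carries an encryption header,
# either traditional ("Proc-Type: 4,ENCRYPTED") or PKCS#8
# ("BEGIN ENCRYPTED PRIVATE KEY"), which is what newer OpenSSL writes.
is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# can_open <key-file> <passphrase>: exit 0 if the passphrase unlocks the key.
# An unencrypted key "opens" with any passphrase, which is exactly why
# is_encrypted is checked separately.
can_open() {
    KEY_PASS="$2" openssl rsa -in "$1" -passin env:KEY_PASS -noout 2>/dev/null
}

# Demo on a throwaway 2048-bit RSA key in a scratch directory.
demo() {
    demo_dir=$(mktemp -d) || return 1
    openssl genrsa -out "$demo_dir/id_rsa_plain" 2048 2>/dev/null || return 1
    add_passphrase "$demo_dir/id_rsa_plain" "$demo_dir/id_rsa" 'correct horse' || return 1
    is_encrypted "$demo_dir/id_rsa" && echo "id_rsa: encrypted header present"
    can_open "$demo_dir/id_rsa" 'correct horse' && echo "id_rsa: opens with the right passphrase"
    if can_open "$demo_dir/id_rsa" 'wrong'; then
        echo "id_rsa: BUG, opened with the wrong passphrase"
    else
        echo "id_rsa: wrong passphrase rejected"
    fi
    rm -rf "$demo_dir"
}

demo
```

For a key that OpenSSH itself generated, the native equivalent of add_passphrase is `ssh-keygen -p -f ~/.ssh/id_rsa`, which prompts for the old and new passphrase instead of taking them from the environment; the checks above still apply to its output.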